Regarding the current 2.6.8 kernel, wouldn't it be a better idea to move the CAP_SYS_RAWIO check to open time instead of when the ioctl is called? This would require a new flag somewhere in the file structure I suppose, e.g. file->f_mode & FMODE_RAWIO.

That would allow a suid root application to open the cdrom and then drop all capabilities including RAWIO and would probably fit better into how cdrecord expects things to work.
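The difference between the two check points, as an added userspace model that is not part of the original post and is not kernel code. The `task` and `file` structs, the function names, and the value given to the proposed `FMODE_RAWIO` flag are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define CAP_SYS_RAWIO 17        /* Linux capability number */
#define FMODE_READ    0x1u
#define FMODE_RAWIO   0x100u    /* flag proposed in the post; value constructed */
#define ERR_EPERM     (-1)      /* stands in for -EPERM */

struct task { unsigned long caps; };   /* model: effective capability set */
struct file { unsigned int f_mode; };  /* model: the kernel's struct file */

static bool capable(const struct task *t, int cap) {
    return (t->caps >> cap) & 1UL;
}

/* Open time: sample the capability once and record it in the file. */
static struct file model_open(const struct task *t) {
    struct file f = { FMODE_READ };
    if (capable(t, CAP_SYS_RAWIO))
        f.f_mode |= FMODE_RAWIO;
    return f;
}

/* Check at ioctl time: the caller must hold the capability right now. */
static int ioctl_check_at_call(const struct task *t, const struct file *f) {
    (void)f;
    return capable(t, CAP_SYS_RAWIO) ? 0 : ERR_EPERM;
}

/* Check at open time: only the flag recorded in the file matters. */
static int ioctl_check_at_open(const struct task *t, const struct file *f) {
    (void)t;
    return (f->f_mode & FMODE_RAWIO) ? 0 : ERR_EPERM;
}

/* suid-root pattern: open the device, drop every capability, then ioctl. */
static int run(int (*check)(const struct task *, const struct file *),
               bool privileged_at_open) {
    struct task t = { privileged_at_open ? (1UL << CAP_SYS_RAWIO) : 0 };
    struct file f = model_open(&t);
    t.caps = 0;                 /* drop all capabilities after open */
    return check(&t, &f);
}

int main(void) {
    printf("ioctl-time check, privileged open:   %d\n", run(ioctl_check_at_call, true));
    printf("open-time check,  privileged open:   %d\n", run(ioctl_check_at_open, true));
    printf("open-time check,  unprivileged open: %d\n", run(ioctl_check_at_open, false));
    return 0;
}
```

In this model the right to issue raw commands travels with the open file rather than with the process, so any process that later holds the same descriptor keeps it.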